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PAL i 
REPORT OF AUDIT 
Office of Data Processing 


For the Period 


1 July 1978 - 30 September 1980 
SUMMARY 


1. Financial controls, procedures and records of 
the Office of Data Processing (ODP) were in accordance 
with Agency regulations. Prior audit recommendations, 
with the exception of Some pertaining to disaster 
recovery, were satisfactorily resolved. Minor 
administrative matters, including the need to better 
monitor prior fiscal year unliquidated obligations, were 
discussed with responsible officials and resolved during 
the audit. This report includes comments and 


recommendations concerning the following: 


o formalizing the position of the Operations 


Security Officer 


o completing a written disaster recovery plan 


for the two computer centers 
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o improving fire safety in the Special Center 


o implementing technical data security controls. 
4 


SCOPE 


2. The audit included a review of administrative 
functions to evaluate the effectiveness of controls and 
procedures and to assure compliance with Agency 
regulations. Financial and logistical transactions were 
tested to determine that documentation, approvals and 
certifications were in accordance with applicable 
accounting and reporting requirements and to ensure that 
expenditures were within the scope of authorized 


activities. 


3. The audit also included reviews and tests within 
both computer centers to determine that established 
procedures and other documentation were sufficient, 


adequate and followed to protect against potential 
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security and safety risks. A survey of ODP/Applications 
was performed to identify the standards and procedures 
utilized for application systems development. Because 
the ODP is still in the process of revising their 
applications development standards, no tests were 
conducted to determine use or compliance with the 


standards. 


BACKGROUND 


4. ODP provides a central computer service to 
Satisfy automatic data processing (ADP) requests from 
Agency components and to satisfy Intelligence Community 
requirements as assigned. In performing this service ODP 


25X1 


had a personnel ceiling 


o review and coordinate Agency proposals for the 
acquisition of computer hardware (including 
word processing equipment), software, and 


services; 
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© operate two computer centers (Ruffing and Special) 
to provide facilities and services for batch and 
interactive computer processing, data base management, 


and on-line information storage and retrieval; 


o perform analysis of requirements for ADP services, 
develop and implement application systems , and 
perform maintenance and production control of 
completed application programs. 

5. The ODP's operating budget for Fiscal Year 1980 


is summarized as follows: 25X41 
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DETAILED COMMENTS 


Operations Security Officer 
7 7 
ae ee 
7. During the audit numerous potential 
security weaknesses and safety hazards were observed in 
the two computer centers (primarily in the Ruffing 
Senter When these problems were brought to the 
attention of the ODP/Operations Security Officer, they 
were promptly corrected. The position of Operations 
Security Officer was established by ODP on a temporary 


basis to develop and implement a security awareness 


program for the two computer centers. By ODP's account 


” 


the security awareness program is successful. The 
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continuous enforcement of security and safety practices 
is of vital importance to the Agency. The ODP should 
formalize the position of Operations Security Officer by 
making it a permanent position, by writing a job 


description, and by giving the incumbent clear lines of 


authority. 

or Recommendation #1: Formally designate a position 
} as Operations Security Officer and have the 

} incumbent report to the Deputy Director ODP/ 


é 


| Processing to ensure adequate authority to 
LL administer an operations security program. 


Disaster Recovery Plan 


8. The prior report of audit discussed the 
need for a disaster recovery plan to minimize the 
magnitude of service interruption in ai emergency 
situation. ODP informed the Audit Staff that they would 
develop a methodology for determining the Agency's 
emergency ADP requirements; prepare and cost out a plan; 
and with higher management approval undertake the 


necessary preparation to execute the plan. The ODP has 


developed a disaster plan that relies on moving critical 
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applications to a surviving center. But ODP has not 
identified or prioritized the critical applications; 
planned for the move; nor tested the compatability of 
either computer center with the other's data. Until these 
steps are completed the current disaster plan can not be 
considered sufficient for actual use in an emergency. 
“ Recommendation #2: Identify and prioritize the 
Agency's emergency ADP requirements and develop 
esmuaare 


written operating procedures to ensure a 


successful exchange of applications between the 
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two computer centers. Also provide for periodic 


updates and tests of the plan after development. 


Fire Safety 


” 


9. Improvements in fire safety are needed in the 
Special Center. The Special Center is so filled with 
computer hardware and data storage material that in case 
of fire it is questionable if employees could make a safe 
and orderly exit from the center. Safe exit from the 
tape library is particularly doubtful. The ODP is aware 


of the problem, and have requested an architectual study to 
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provide sufficient and adequate emergency exits. Until 

that study is completed ODP should continue to identify 
ash ways to improve fire safety within the Special Center. 
Recommendation #3: Continue efforts to improve fire safety 


vn within the Special Center. 


Data Security Controls 


10. For many years the ODP has recognized that 
technical security controls to protect sensitive data 
were inadequate. In lieu of sufficient technical 
controls manual procedures were applied. Recently 
improved technical security control systems have become 
available. The ODP currently is installing one such 
system called Access Control Facility ~- 2 (ACF-2). The 
ACF~2 requires a prolonged and carefully coordinated 
implementation. Once fully implemented, ACF~2 should 
significantly improve the security of sensitive 
computerized data. No additional recommendation is 


required. 


SECRET 


Approved For Release 2003/12/03 : CIA-RDP84-00933R000100290011-0 


25X1 Approved For Release 2003/12/03 : CIA-RDP84-00933R000100290011-0 


Next 1 Page(s) In Document Exempt 


Approved For Release 2003/12/03 : CIA-RDP84-00933R000100290011-0 


